.net Users IIS

Discussion in 'ASP .Net' started by coder316, Dec 23, 2009.

  1. coder316

    coder316 Guest

    Hello,
    I just need some clarification:
    I added a user to the Membership Table using the CreateUserWizard.
    His name is "Bob"

    IIS7 shows "Bob" in the .NET Users.
    "Bob" is not in the web.config, but the status bar says it's getting it
    from the web.config.


    Where was Bob given authorization if not in the web.config?
    and why does IIS say it's getting his name from there?

    Thanks
     
    coder316, Dec 23, 2009
    #1

  2. coder316 <> wrote in news:5cfaa057-2299-487f-a3f7-
    :

    > I just need some clarification:
    > I added a user to the Membership Table using the CreateUserWizard.
    > His name is "Bob"


    Membership table? As in a membership table created in SQL Server
    Express? If so, that is where Bob is.

    > IIS7 shows "Bob" in the .NET Users.
    > "Bob" is not in the web.config, but the status bar says its getting it
    > from the web.config.


    You have me lost here. I am not sure what you mean when you say IIS7 is
    showing Bob is not in the web config, but the status bar says he is in
    the web.config.

    web.config stores certain variables, but not user account information
    (okay, perhaps you could create one that does that, but it is not the
    default or even "normal"). It does contain a connection string to get to
    the database.

    > Where was Bob given authorization if not in the web.config?
    > and why does IIS say its getting his name from there?


    I am not certain it is saying that, but Bob's account is in a database.
    If you went with all of the defaults, you installed SQL Express when you
    installed Visual Studio and the tables are there.

    peace and grace,


    --
    Gregory A. Beamer (MVP)

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    *******************************************
    | Think outside the box! |
    *******************************************
     
    Gregory A. Beamer, Dec 23, 2009
    #2

  3. coder316

    coder316 Guest


    Greg,
    Thanks
    I am not using express, I am using a Db on my host.
    I thought that the name or Role had to be in <authentication> in the
    web.config for the user to be able to see the page. Anonymous users
    are denied.
    I have <allow> for users but Bob is not one of them.

    <authorization>
      <deny users="?"/>
      <allow users="mary"/>
      <allow users="todd"/>
    </authorization>
     
    coder316, Dec 23, 2009
    #3
  4. coder316 <> wrote in news:8dd7bd50-0620-401f-b28e-
    :

    > I am not using express, I am using a Db on my host.
    > I thought that the name or Role had to be in <authentication> in the
    > web.config for the user to be able to see the page. Anonymous users
    > are denied.
    > I have <allow> for users but Bob is not one of them.
    > <authorization>
    > <deny users="?"/>
    > <allow users="mary"/>
    > <allow users="todd"/>
    > </authorization>


    Okay, now I understand. So you are testing if Bob has access and he
    does, despite not allowing him in the web.config?

    What is happening is you are not denying all users, you are merely
    saying, question whether the user has an account. That is what the deny
    statement in question is:

    <deny users="?"/>

    You can change to

    <deny users="*"/>

    and then explicitly add mary and todd, as you have. This might help
    understand the mechanism a bit:
    http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

    I have to test, but I believe ordering is important. You can also
    explicitly deny Bob, but that is not very maintainable, unless Bob is
    always the only one denied.

    Personally, I prefer using roles instead of users.

    NOTE: There are a few ways to initiate page security, depending on how
    much you need.

    1. Web.config
    2. Sitemap - if using a menu/breadcrumb (note: does not stop user from
    getting to something, necessarily, but hides the location)

    With security trimmings on with a sitemap, it will respect the security
    settings in web.config, as well (i.e., not show user links he does not
    have access to). This means, for true security, web.config is the way to
    go.

    NOTE: You can exclude pages from the mix by setting them up in the
    config as exceptions. This is useful when the entire site is secure and
    you simply need to exclude the default page and login page from the mix.

    NOTE: You can secure subdirectories with their own web.config while
    leaving the root open to everyone. This is very useful when you have
    some secure pages and not others.

    Peace and Grace,

    --
    Gregory A. Beamer (MVP)

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    *******************************************
    | Think outside the box! |
    *******************************************
     
    Gregory A. Beamer, Dec 23, 2009
    #4
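
The rule ordering raised in the answer above, as an added Python sketch (not code from the thread or from ASP.NET itself): URL authorization reads the rules top to bottom, stops at the first one that matches, and ends with the inherited `<allow users="*"/>`, which is the rule Bob falls through to. The function names and the role name `Staff` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Rule inherited from the machine-level configuration; it is evaluated last.
MACHINE_DEFAULT = '<allow users="*"/>'

# The rules posted in the thread: "?" only matches anonymous requests.
ORIGINAL = """<authorization>
  <deny users="?"/>
  <allow users="mary"/>
  <allow users="todd"/>
</authorization>"""
# Named allows first, then deny everyone else.
FIXED = """<authorization>
  <allow users="mary,todd"/>
  <deny users="*"/>
</authorization>"""
# Same rules with the deny first: it matches before the allows are reached.
WRONG_ORDER = """<authorization>
  <deny users="*"/>
  <allow users="mary,todd"/>
</authorization>"""
# Role-based variant; "Staff" is a hypothetical role name.
ROLE_BASED = """<authorization>
  <allow roles="Staff"/>
  <deny users="*"/>
</authorization>"""


def _names(value):
    # Comma-separated list; compared case-insensitively (assumption of this sketch).
    return {n.strip().lower() for n in value.split(",") if n.strip()}


def parse_rules(authorization_xml):
    """Return (action, users, roles) tuples in document order, default last."""
    rules = list(ET.fromstring(authorization_xml)) + [ET.fromstring(MACHINE_DEFAULT)]
    return [(r.tag, _names(r.get("users", "")), _names(r.get("roles", "")))
            for r in rules if r.tag in ("allow", "deny")]


def is_allowed(authorization_xml, user=None, roles=()):
    """First matching rule decides; user=None models an anonymous request."""
    held = _names(",".join(roles))
    for action, users, wanted in parse_rules(authorization_xml):
        if ("*" in users or ("?" in users and user is None)
                or (user is not None and user.lower() in users)
                or held & wanted):
            return action == "allow"
    return False
```

`is_allowed(ORIGINAL, "bob")` is true, while `is_allowed(FIXED, "bob")` and `is_allowed(WRONG_ORDER, "mary")` are both false.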
  5. coder316

    coder316 Guest


    Thanks, that explained it well.
     
    coder316, Dec 23, 2009
    #5